Path Traversal
Hola 👋 welcome back, guys! Here is my write-up on all the labs in Path Traversal on Web Sec Academy, curated in one place. I will go through how I solved each lab. Let’s get started!
What is Path Traversal 🤔
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This might include:
- application code and data
- credentials for back-end systems
- sensitive operating system files
Lab #1: File Path traversal, Simple Case
End Goal:
- This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.
- In Burp, find any product image request and send it to the Repeater tab.
- This application implements no defenses against path traversal attacks. By modifying the request, we can retrieve the /etc/passwd file from the server’s filesystem by stepping up through the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, so the file that is actually read is /etc/passwd. After changing the value of the filename parameter to ../../../etc/passwd we receive a 200 OK status code, indicating that the request was successful. We’ve successfully solved the first lab. Nice! Let’s move on to the next one.
Lab #2: File path traversal, traversal sequences blocked with absolute path bypass
End Goal:
- This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.
- To solve the lab, retrieve the contents of the /etc/passwd file.
- So, send any request for an image product to the Repeater tab. By modifying the request, we can use an absolute path (an absolute path is a file or directory location specified from the root directory, represented by /) to access the /etc/passwd file on the server. Specify /etc/passwd as the value of the filename parameter, and we solve the lab. Let’s move on.
Lab #3: File path traversal, traversal sequences stripped non-recursively
End Goal:
- To solve the lab, retrieve the contents of the /etc/passwd file.
- Send any product image request to the Repeater tab. We are going to use nested traversal sequences, such as ....// or ....\/, which bypass a filter that strips ../ only once: when the filter removes the inner ../ from ....//, what remains is again ../. To reach the /etc/passwd file on the server, build the path from these nested sequences and put it in the value of the filename parameter. This will solve the lab.
Lab #4: File path traversal, traversal sequences stripped with superfluous URL-decode
End Goal:
- This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.
- To solve this lab, we can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, the ../ characters. This results in %2e%2e%2f and %252e%252e%252f, respectively. Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also work. Send any product image request to the Repeater tab and modify the filename parameter, giving it one of these encoded forms.
Lab #5: File path traversal, validation of start of path
End Goal:
- This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.
- Using Burp Suite, send any product image request to the Repeater tab. Modify the filename parameter, giving it the value /var/www/images/../../../etc/passwd so that the path still starts with the expected base folder. This will solve the lab. Let’s move on to the last lab.
Lab #6: File path traversal, validation of file extension with null byte bypass
End Goal:
- This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.
- Send any product image request to the Repeater tab and modify the value of the filename parameter, using a null byte to terminate the file path before the required extension. Set the filename parameter to ../../../etc/passwd%00.png.
How to prevent a path traversal attack
1) Validate all user inputs to filter out any unexpected characters or patterns.
2) Employ allowlists to restrict file access exclusively to known, safe paths, among other measures.
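As an added example (not part of the original write-up), here is how a server-side image handler can close all six holes at once. It assumes the images live in /var/www/images, that only image extensions are served, and that the web framework has already URL-decoded the filename parameter exactly once.

```python
import os
from typing import Dict, Optional

# Assumed image directory; the labs' default working directory is /var/www/images.
BASE_DIR = "/var/www/images"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_image_path(filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path to serve, or None to refuse the request.

    `filename` arrives already URL-decoded once by the web framework and is not
    decoded again here: a second, superfluous decode is the Lab #4 weakness.
    """
    # Lab #6: a NUL byte would end the path before ".png" at the C open(); reject it first.
    if not filename or "\x00" in filename:
        return None

    # Labs #1, #2, #3, #5: do not strip or blocklist "../" (non-recursive stripping
    # is the Lab #3 bug, a string-prefix check is the Lab #5 bug). Resolve the path
    # the way the kernel will and compare the canonical result with the base:
    # join() drops base_dir for an absolute filename (Lab #2), realpath collapses
    # every "..", and nested "....//" never becomes "../" because nothing is stripped.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))

    # commonpath, not startswith: "/var/www/images2/x.png" starts with the string
    # "/var/www/images" yet lies outside that directory.
    if os.path.commonpath([base, candidate]) != base:
        return None

    # Validate the extension on the canonical path, i.e. on exactly what gets opened.
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


# Constructed inputs: the write-up's payloads as they arrive after the framework's
# single URL decode (Lab #4's double-encoded ../ therefore shows up as %2e%2e%2f).
LAB_PAYLOADS = {
    "lab1": "../../../etc/passwd",
    "lab2": "/etc/passwd",
    "lab3": "....//....//....//etc/passwd",
    "lab4": "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "lab5": "/var/www/images/../../../etc/passwd",
    "lab6": "../../../etc/passwd\x00.png",
}


def check_labs() -> Dict[str, Optional[str]]:
    """Map each lab payload to the path that would be served (None means refused)."""
    return {name: resolve_image_path(p) for name, p in LAB_PAYLOADS.items()}
```

Every entry of check_labs() comes back None, while a normal request such as thumbs/cat.png resolves to a path under the base directory.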
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!